[openssl-users] Regarding the security of the keys
rsalz at akamai.com
Wed Jul 22 04:46:22 UTC 2015
> Actually that isn't quite right. A properly configured and tuned RBAC policy, when combined with PaX, can very effectively limit all userspace activity (including root access!).
How do you know that the module is installed and actually doing things? How do you know what kernel is actually booted?
> It helps if you can also use a hardware security module to protect your key material.
How do you know that the operations that YOU request are actually the ones being performed? How do you know that the operating system isn't making additional requests of its own?
You have to trust root. No two ways about it.
More information about the openssl-users